def get_content_block(self): stix_ip_list = self.cleaned_data['ip_list'] stix_ip_list = string.replace(stix_ip_list, ",", "##comma##") stix_ip_list = string.replace(stix_ip_list, ";", "##comma##") stix_ip_list = string.replace(stix_ip_list, " ", "") xml = render_to_string('stix-ip-list.xml', { 'stix_ip_list': stix_ip_list, 'description': self.cleaned_data['desc'] }) cb = tm11.ContentBlock(t.CB_STIX_XML_101, xml) return cb
def make_content(version, content_binding=CUSTOM_CONTENT_BINDING, content=CONTENT, subtype=None): if version == 10: return tm10.ContentBlock(content_binding, content) elif version == 11: content_block = tm11.ContentBlock(tm11.ContentBinding(content_binding), content) if subtype: content_block.content_binding.subtype_ids.append(subtype) return content_block else: raise ValueError('Unknown TAXII message version: %s' % version)
def push(self, content, content_binding, collection_names=None, timestamp=None, uri=None): """Push content into Inbox Service. if ``uri`` is not provided, client will try to discover services and find Inbox Service among them. :param str content: content to push :param content_binding: content binding for a content :type content_binding: string or :py:class:`cabby.entities.ContentBinding` :param list collection_names: destination collection names :param datetime timestamp: timestamp label of the content block (current UTC time by default) :param str uri: URI path to a specific Inbox Service :raises ValueError: if URI provided is invalid or schema is not supported :raises `cabby.exceptions.HTTPError`: if HTTP error happened :raises `cabby.exceptions.UnsuccessfulStatusError`: if Status Message received and status_type is not `SUCCESS` :raises `cabby.exceptions.ServiceNotFoundError`: if no service found :raises `cabby.exceptions.AmbiguousServicesError`: more than one service with type specified :raises `cabby.exceptions.NoURIProvidedError`: no URI provided and client can't discover services """ content_block = tm11.ContentBlock( content=content, content_binding=pack_content_binding(content_binding, version=11), timestamp_label=timestamp or get_utc_now(), ) inbox_message = tm11.InboxMessage(message_id=self._generate_id(), content_blocks=[content_block]) if collection_names: inbox_message.destination_collection_names.extend(collection_names) self._execute_request(inbox_message, uri=uri, service_type=const.SVC_INBOX) self.log.debug("Content block successfully pushed")
def taxii_inbox(config, dest, stix_package=None, src=None, crits_id=None): '''inbox a stix package via taxii''' if src and crits_id: # check whether this has already been ingested sync_state = config['db'].get_object_id(src, dest, crits_id=crits_id) if sync_state and sync_state.get('crits_id', None): if config['daemon']['debug']: config['logger'].debug( log.log_messages['object_already_ingested'].format( src_type='crits', src_id=crits_id, src=src, dest_type='edge', dest=dest, dest_id=sync_state['edge_id'])) return(True) if stix_package: stixroot = lxml.etree.fromstring(stix_package.to_xml()) client = tc.HttpClient() client.setUseHttps(config['edge']['sites'][dest]['taxii']['ssl']) client.setAuthType(client.AUTH_BASIC) client.setAuthCredentials( {'username': config['edge']['sites'][dest]['taxii']['user'], 'password': config['edge']['sites'][dest]['taxii']['pass']}) message = tm11.InboxMessage(message_id=tm11.generate_message_id()) content_block = tm11.ContentBlock(content_binding=t.CB_STIX_XML_11, content=stixroot) if config['edge']['sites'][dest]['taxii']['collection'] != \ 'system.Default': message.destination_collection_names = \ [config['edge']['sites'][dest]['taxii']['collection']] message.content_blocks.append(content_block) if config['daemon']['debug']: config['logger'].debug( log.log_messages[ 'open_session'].format(type_='taxii', host=dest)) taxii_response = client.callTaxiiService2( config['edge']['sites'][dest]['host'], config['edge']['sites'][dest]['taxii']['path'], t.VID_TAXII_XML_11, message.to_xml(), port=config['edge']['sites'][dest]['taxii']['port']) if taxii_response.code != 200 or taxii_response.msg != 'OK': success = False config['logger'].error( log.log_messages[ 'inbox_error'].format(type_='taxii', host=dest, msg=taxii_response.msg)) else: success = True if config['daemon']['debug']: config['logger'].debug( log.log_messages['inbox_success'].format(type_='taxii', host=dest)) return(success)
def get_content_block(self, f): binding_map = { '.xlsx': ('application', 'vnd.openxmlformats-officedocument.spreadsheetml.sheet'), '.xls': ('application', 'vnd.ms-excel'), '.csv': ('text', 'csv'), '.json': ('application', 'json'), '.syslog': ('text', 'syslog') } # Check the file extension to see if it is a supported type name_part, ext_part = os.path.splitext(f.name) if ext_part.lower() == '.xml': cb = tm11.ContentBlock(tm11.ContentBinding(t.CB_STIX_XML_101), f.read()) else: binding_tuple = binding_map.get(ext_part.lower(), None) if not binding_tuple: logger.error( 'File extension not supported: %s. Supported extensions: %s' % (ext_part, binding_map.keys())) return # Read the file and create a MIME message for it maintype = binding_tuple[0] subtype = binding_tuple[ 1] # Note: This is MIME subtype, not TAXII subtype mime_msg = MIMENonMultipart(maintype, subtype) mime_msg.add_header('Content-Disposition', 'attachment', filename=f.name) mime_msg.set_payload(f.read()) encode_base64(mime_msg) cb = tm11.ContentBlock('%s/%s' % (maintype, subtype), mime_msg.as_string()) return cb
def push_11(self, stix_file_doc): self.debug_print('>>> push_11: enter') # stix_file_doc の versionが 2.0 ならスライド if stix_file_doc.version == '2.0': try: content = stix_file_doc.get_slide_1_x() except Exception as e: traceback.print_exc() raise e else: with open(stix_file_doc.origin_path, 'r', encoding='utf-8') as fp: content = fp.read() # Subscription Information xml作成 subscription_information = tm11.SubscriptionInformation( collection_name=self._collection_name, subscription_id='subscripiton_id') cb = tm11.ContentBlock(const.CB_STIX_XML_11, content) im = tm11.InboxMessage( message_id=tm11.generate_message_id(), destination_collection_names=[self._collection_name], subscription_information=subscription_information, content_blocks=[cb]) try: # push self._address = '10.0.3.100' # self.debug_print('>>> push_11: self._address:%s' %(self._address)) # self.debug_print('>>> push_11: self._path:%s' %(self._path)) # self.debug_print('>>> push_11: self._port:%d' %(self._port)) # self.debug_print('>>> push_11: self._collection_name:%s' %(self._collection_name)) # self.debug_print('>>> push_11: verify_server:%s' %(str(self._client.verify_server))) # self.debug_print('>>> push_11: use_https:%s' %(str(self._client.use_https))) http_resp = self._client.call_taxii_service2( self._address, self._path, const.VID_TAXII_XML_11, im.to_xml(), port=self._port) taxii_message = libtaxii.get_message_from_http_response( http_resp, im.message_id) if taxii_message.status_type != 'SUCCESS': self.debug_print('taxii_message.status_type is not SUCCESS') self.debug_print(taxii_message.to_xml(pretty_print=True)) raise Exception('taxii_message.status_type is not SUCCESS') except Exception as e: traceback.print_exc() self.debug_print(e) raise e
def push_11(self, stix_file_doc): if stix_file_doc.version.startswith('2.'): try: content = stix_file_doc.get_slide_12() except Exception as e: traceback.print_exc() raise e else: with open(stix_file_doc.origin_path, 'r', encoding='utf-8') as fp: content = fp.read() auth_credentials_dict = self._get_auth_credentials_dict() self._client.set_auth_credentials(auth_credentials_dict) try: subscription_information = tm11.SubscriptionInformation( collection_name=self._collection_name, subscription_id='subscripiton_id') cb = tm11.ContentBlock(const.CB_STIX_XML_11, content) im = tm11.InboxMessage( message_id=tm11.generate_message_id(), destination_collection_names=[self._collection_name], subscription_information=subscription_information, content_blocks=[cb]) http_resp = self._client.call_taxii_service2( self._address, self._path, const.VID_TAXII_XML_11, im.to_xml(), port=self._port) taxii_message = libtaxii.get_message_from_http_response( http_resp, im.message_id) if taxii_message.status_type != 'SUCCESS': raise Exception('taxii_message.status_type is not SUCCESS') except Exception as e: traceback.print_exc() raise e finally: if 'cert_file' in auth_credentials_dict: try: os.remove(auth_credentials_dict['cert_file']) except Exception: pass if 'key_file' in auth_credentials_dict: try: os.remove(auth_credentials_dict['key_file']) except Exception: pass
def gen_post(self, msg_type, xml): content_block = tm11.ContentBlock(tm11.ContentBinding(Client.BINDING_STIX), xml) if msg_type.lower() == 'inbox': post = tm11.InboxMessage(tm11.generate_message_id()) post.content_blocks.append(content_block) post.message = Client.CLIENT_MSG if self.subscription: post.subscription_id = self.subscription if self.collection: post.destination_collection_names.append(self.collection) return post
def create_request_message(self, args): if args.content_file is self.stix_watchlist: data = self.stix_watchlist else: with open(args.content_file, 'r') as f: data = f.read() cb = tm11.ContentBlock(tm11.ContentBinding(args.content_binding), data) if args.subtype is not None: cb.content_binding.subtype_ids.append(args.subtype) inbox_message = tm11.InboxMessage(message_id=tm11.generate_message_id(), content_blocks=[cb]) if args.dcn: inbox_message.destination_collection_names.append(args.dcn) return inbox_message
def content_block_entity_to_content_block(entity, version): content_bindings = content_binding_entity_to_content_binding( entity.content_binding, version=version) # Libtaxii requires content to be unicode content = (entity.content if isinstance(entity.content, six.string_types) else entity.content.decode('utf-8')) if version == 10: return tm10.ContentBlock(content_binding=content_bindings, content=content, timestamp_label=entity.timestamp_label) elif version == 11: return tm11.ContentBlock(content_binding=content_bindings, content=content, timestamp_label=entity.timestamp_label, message=entity.message)
def content_block_entity_to_content_block(entity, version): content_bindings = content_binding_entity_to_content_binding( entity.content_binding, version=version) if version == 10: return tm10.ContentBlock( content_binding=content_bindings, content=entity.content, timestamp_label=entity.timestamp_label, ) elif version == 11: return tm11.ContentBlock( content_binding=content_bindings, content=entity.content, timestamp_label=entity.timestamp_label, message=entity.message, )
def main(): config = ConfigParser.ConfigParser() config.read('app.conf') dstHost = config.get('taxii', 'dstHost') dstPort = config.get('taxii', 'dstPort') dstPath = config.get('taxii', 'dstPath') username = config.get('taxii', 'username') password = config.get('taxii', 'password') parser = argparse.ArgumentParser(description="Inbox Client") parser.add_argument( "--host", dest="host", default=dstHost, help="Host where the Inbox Service is hosted. Defaults to " + dstHost) parser.add_argument( "--port", dest="port", default=dstPort, help="Port where the Inbox Service is hosted. Defaults to " + dstPort) parser.add_argument( "--path", dest="path", default=dstPath, help="Path where the Inbox Service is hosted. Defaults to " + dstPath) parser.add_argument( "--content-binding", dest="content_binding", default=t.CB_STIX_XML_11, help="Content binding of the Content Block to send. Defaults to %s" % t.CB_STIX_XML_11) parser.add_argument( "--content-file", dest="content_file", default=stixContent, help="File name of the Content Block to send. Required.") args = parser.parse_args() if args.content_file is '': parser.print_help() sys.exit(1) _l.info('Starting...') c = open(args.content_file, 'r') cb = tmsg.ContentBlock(tmsg.ContentBinding(args.content_binding), c.read()) c.close() taxiiMsg = tmsg.InboxMessage(message_id=tmsg.generate_message_id(), content_blocks=[cb]) taxiiMsgXml = taxiiMsg.to_xml() # send it _l.debug('Uploading content.') client = tc.HttpClient() client.setProxy('noproxy') client.setAuthType(tc.HttpClient.AUTH_BASIC) client.setAuthCredentials({'username': username, 'password': password}) resp = client.callTaxiiService2(args.host, args.path, t.VID_TAXII_XML_11, taxiiMsgXml, args.port) response_message = t.get_message_from_http_response(resp, '0') _l.debug('Response was: ' + response_message.to_xml()) _l.info('Ended.')
def _get_content_block(self, content): return tm11.ContentBlock(const.CB_STIX_XML_11, content)
def main(): # "hardcoded" values ns = "urn:example.com:marks_malware_metadata_mart" ns_alias = "m4" # Set the STIX ID Namespace stix_namespace = {ns: ns_alias} stix_sin(stix_namespace) # Set the CybOX ID Namespace cybox_namespace = Namespace(ns, ns_alias) cybox_sin(cybox_namespace) ttp_id = 'ttp-d539bb85-9363-4814-83c8-fa9975045686' ttp_timestamp = '2014-09-30T15:56:27.000000+00:00' # Fake database values md5_hash = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' object_id = 'File-927731f2-cc2c-421c-a40e-dc6f4a6c75a4' observable_id = 'Observable-45e3e64c-8438-441e-bc49-51e417466e29' confidence = 'High' confidence_timestamp = '2014-09-29T14:32:00.000000' indicator_id = 'Indicator-54baefc1-4742-4b40-ba83-afd51115015b' indicator_timestamp = '2014-09-29T14:32:00.000000' # Code to create the STIX Package sp = STIXPackage() sp.stix_header = STIXHeader() sp.stix_header.title = "File Hash Reputation for %s" % md5_hash sp.stix_header.add_package_intent("Indicators - Malware Artifacts") sp.stix_header.information_source = InformationSource() sp.stix_header.information_source.identity = Identity() sp.stix_header.information_source.identity.name = "Mark's Malware Metadata Mart" file_hash = Hash(hash_value=md5_hash, type_='MD5', exact=True) file_hash.type_.condition = "Equals" file_obj = File() file_obj.id_ = (ns_alias + ':' + object_id) file_obj.add_hash(file_hash) indicator = Indicator(title="File Hash Reputation", id_=(ns_alias + ':' + indicator_id), timestamp=indicator_timestamp) indicator.indicator_type = "File Hash Reputation" indicator.add_observable(file_obj) indicator.observables[0].id_ = ns_alias + ':' + observable_id ttp = TTP() ttp.id_ = ns_alias + ':' + ttp_id ttp.timestamp = ttp_timestamp ttp.title = "Malicious File" indicator.add_indicated_ttp(TTP(idref=ttp.id_, timestamp=ttp.timestamp)) indicator.indicated_ttps[0].confidence = confidence indicator.indicated_ttps[0].confidence.timestamp = confidence_timestamp sp.add_indicator(indicator) sp.add_ttp(ttp) stix_xml = sp.to_xml() poll_response = tm11.PollResponse(message_id=generate_message_id(), in_response_to="1234", collection_name='file_hash_reputation') cb = tm11.ContentBlock(content_binding=CB_STIX_XML_111, content=stix_xml) poll_response.content_blocks.append(cb) print poll_response.to_xml(pretty_print=True)